2005 CSI/FBI COMPUTER CRIME AND SECURITY SURVEY
by Lawrence A. Gordon, Martin P. Loeb, William Lucyshyn and Robert Richardson
The Computer Crime and Security Survey is conducted by the Computer Security Institute (CSI) with the participation of the San Francisco Federal Bureau of Investigation’s (FBI) Computer Intrusion Squad. The survey is now in its 10th year and is, we believe, the longest-running continuous survey in the information security field.
This year’s survey results are based on the responses of 700 computer security practitioners in U.S. corporations, government agencies, financial institutions, medical institutions and universities. The 2005 survey addresses the major issues considered in earlier CSI/FBI surveys, thus allowing us to analyze important computer security trends. The long-term trends considered in the survey include:
• Unauthorized use of computer systems.
• The number of incidents from outside, as well as inside, an organization.
• Types of attacks or misuse detected.
• Actions taken in response to computer intrusions.
This year’s survey also addresses several emerging security issues that were first probed only in the 2004 CSI/FBI survey. With a second year of data, some perspective can now be gained on the new issues that were introduced in last year’s survey. All of the following issues relate to the economic decisions organizations make regarding computer security and the way they manage the risk associated with security breaches:
▪ How organizations evaluate the performance of their investments in computer security.
▪ The security training needs of organizations.
▪ The level of organizational spending on security investments.
▪ The impact of outsourcing on computer security activities.
▪ The role of the Sarbanes-Oxley Act of 2002 in security activities.
▪ The use of security audits and external insurance.
▪ The portion of the IT (information technology) budget organizations devote to computer security.
Key Findings
Prior to highlighting some key findings of this year’s survey, one should note that the number of responses increased dramatically this year. The number of responses went from 494 in 2004 to 700 in 2005, even though the sample size remained the same. This was likely due in some measure to an increase in the number of reminders sent to the sample group. See the end note regarding methodology for further details.
Some key findings:
▪ Virus attacks continue as the source of the greatest financial loss. Unauthorized access, however, showed a dramatic cost increase and replaced denial of service as the second most significant contributor to computer crime loss during the past year.
▪ Unauthorized use of computer systems has increased slightly according to the respondents. However, the survey respondents reported that the total dollar amount of financial loss resulting from cybercrime is decreasing. Given that the total number of respondents to the survey has dramatically increased, the survey shows a dramatic decrease in average total loss per respondent. Two specific areas (unauthorized access to information and theft of proprietary information) did show significant increases in average loss per respondent.
▪ Web site incidents have incread dramatically.
▪ State governments currently have both the largest information security operating expense and the largest investment per employee of all industry/government segments.
▪ Despite talk of increasing outsourcing, the survey results related to outsourcing are nearly identical to those reported last year and indicate very little outsourcing of information security activities. Among those organizations that do outsource some computer security activities, the percentage of activities outsourced is quite low.
▪ Use of cyber insurance remains low (i.e., cybersecurity insurance is not catching on despite the numerous articles that now discuss the emerging role of cybersecurity insurance).
▪ The percentage of organizations reporting computer intrusions to law enforcement has continued its multi-year decline. The key reason cited for not reporting intrusions to law enforcement is concern about negative publicity.
▪ A significant number of organizations conduct some form of economic evaluation of their security expenditures, with 38 percent using Return on Investment (ROI), 19 percent using Internal Rate of Return (IRR) and 18 percent using Net Present Value (NPV).
▪ Over 87 percent of the organizations conduct security audits, up from 82 percent in last year’s survey.
▪ The Sarbanes-Oxley Act has begun to have an impact on information security in more industry sectors than last year.